malwarewikiaorg-20200223-history
ILoveYou
''' '''ILOVEYOU, sometimes referred to as LoveLetter or LoveBug, was a computer worm that attacked over ten million Windows personal computers on and after May 5, 2000. Memorable for its "LOVE-LETTER-FOR-YOU" attachment and "ILOVEYOU" subject line, was one of the early worms to gain a great deal of media attention. It was also one of the first to reportedly reach a multi-billion dollar damage toll, being one of the most dangerous viruses. This worm program was written by two young Filipino computer programmers named Reonel Ramones and Onel de Guzman, a student at AMA Computer University in Makati, Philippines. The author of the worm has conceded that he may have released the malware by "accident". The worm was first discovered in Hong Kong. Messages which were generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions of more messages that crippled mail systems and overwrote millions of files on computers in each successive network. On 5 May 2000, the developers of the worm became targets of a criminal investigation by agents of the Philippines' National Bureau of Investigation. Local Internet service provider Sky Internet had reported receiving numerous contacts from European computer users alleging that malware (in the form of the "ILOVEYOU" worm) had been sent via the ISP's servers. After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number to Ramones' apartment in Manila. His residence was searched and Ramones was arrested and placed on inquest investigation before the Department of Justice (DOJ). Onel de Guzman was likewise charged in absentia. At that point, the NBI was unsure what felony or crime would apply.11 It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalize credit card fraud, since both used pre-paid (if not stolen) Internet cards to purchase access to ISPs. Another idea was that they are charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property. The drawback here was that one of its elements, aside from damage to property, was intended to damage, and de Guzman had claimed during custodial investigations that he may have unwittingly released the worm.12 To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year.11 They found that, for his undergraduate thesis, de Guzman had proposed the implementation of a trojan to steal Internet login passwords.13 This way, he proposed, users would finally be able to afford an Internet connection. The proposal was rejected by the College of Computer Studies board,12 prompting de Guzman to cancel his studies the day before graduation. The ILoveYou worm caused widespread e-mail outages. More than 45 million computers around the globe have supposedly been infected by various strains of the worm. The types of industries affected include stock brokerages, food companies, media, auto, and technology giants, as well as government agencies, universities and medical institutions worldwide. The Ford Motor Company shut off its email system after being hit hard by the worm (General Motors was not directly affected by the worm, as they do not use Outlook at that company). A partial list of others affected by the virus confirmed by CNET News.com was Silicon Graphics, the Department of Defense (including the Pentagon itself), Daimler-Chrysler, The Motion Picture Association of America, the Federal Reserve and Cox Cable. The worm was responsible for a denial-of-service attack on the official White House website. One web start-up reported losing 40 gigabytes of JPEG images. Estimates of the worm's damage are in between $8.75 billion and $10 billion. Payload Transmission The virus arrives in an email with the subject line of "ILOVEYOU" with an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs" that people were encouraged to open, since the ".vbs" suffix was not visible, thus seeing the ".TXT" suffix. The message body is "kindly check the attached LOVELETTER coming from me." The sender line will be the address it was sent from. The user must download and execute the worm by clicking on it. The worm may also come from an infected computer on the same IRC channel using mIRC. The worm will be in an infected HTML document named LOVE-LETTER-FOR-YOU.TXT.HTM downloaded into the IRC downloads folder. The user must access the .htm file to activate the worm. Internet Explorer security settings do not allow scripts to access disk files and will display a warning when they try to. To work around this, the worm displays a fake message telling the user to give ActiveX control to the .htm file. If the user clicks on "Yes", the worm will infect the system. If the user clicks on "No", the worm reloads the message in an infinite loop until the user clicks on "Yes" to allow it to infect the system. Infection When the worm is executed, it copies itself as the files LOVE-LETTER-FOR-YOU.TXT.VBS and MSKERNEL32.VBS in the Windows_system_folder and WIN32DLL.VBS in the Windows directory. It creates its own key named MSKernel32 under the Local machine registry key that causes programs to run and adds the value MSKERNEL32.VBS to it. It also creates a new Local Machine RunServices key named Win32DLL and adds WIN32DLL.VBS as a value to it, so it will run when the system boots, before the user even logs on. The worm sets the Internet Explorer start page to one of four randomly chosen web pages so that it downloads the file WIN-BUGSFIX.EXE, a trojan. It then adds a registry key for it in the same manner that it registered its own files, so it will run at startup. After the WIN-BUGSFIX.EXE program has been run, it copies itself to the Windows system folder as WinFAT32.EXE and replaces the WIN-BUGSFIX.EXE registry key with one for itself. This file obtains the system's logins, passwords, machine name, IP address, RAS information and some other information about the computer and sends it to mailme@super.net.ph. Loveletter searches for files to modify, mostly by replacing those files with a copy of itself. If the file has a .vbs or .vbe extension, it will simply overwrite the files. If they have the extensions js, jse, css, wsh, sct, or hta, it will overwrite the file as well as the extension, changing it to .vbs, but retaining the original name (program.js becomes program.vbs). For .jpg or .jpeg files, it overwrites them, retains the original file name and extension, but adds .vbs to the extension (picture.jpg becomes picture.jpg.vbs). Mp3 and mp2 files are not overwritten, but rather hidden. Loveletter opens the Outlook email program and scans for email addresses in the Address book. It sends the email with an attached copy of itself The worm scans for the files mirc32.exe, mlink32.exe, mirc.ini, script.ini and mirc.hlp. If it finds one or more of these files, it will generate a new script.ini and place it in the directory where the files are found. The script contains instructions to send the file LOVE-LETTER-FOR-YOU.TXT.HTM to all users on the same IRC channel as well as a comment: ;mIRC Script" ; Please dont edit this script... mIRC will corrupt if mIRC will ; corrupt... WINDOWS will affect and will not run correctly. thanks" ; ;Khaled Mardam-Bey ;http://www.mirc.com Variants The worm itself is a text script program, and it is spread in-text source form. The worm's code may be easily modified by hackers, and as a result, there are many variants of the original worm. Most of them are just minor remakes and differ to the original just in details - there are message-fields text changed, different file names, a different set of affected disk files extensions (for example, .BAT and .INI). The subject, message body, and attached file name in different variants appear as listed below (the first block belongs to original worm version): Media Email-Worm.Win32.Loveletter (ILOVEYOU Worm, 12 years later)|LoveLetter in action. Credit to danooct1. References Carnegie Mellon University Software Engineering Institute, CERT® Advisory CA-2000-04 Love Letter Worm Kaspersky Labs, I-Worm.LoveLetter Sharon Gaudin, Internetnews.com "Virus Damage Worst on Record for August". 2003.09.02 Paul A. Greenberg. E-Commerce Times, "'Love' Virus Damage Could Top $1B". 2000.05.05 Marcia Savage. ChannelWeb, Damage From Love Letter Virus Could Top $10 Billion. 2000.05.00 http://uk.norton.com/top-5-viruses/promo Category:Worm Category:Mass mailer worm Category:VBS Category:Billion dollar damage Category:Social engineer Category:Email worm Category:IRC worm Category:Win32 Category:Win32 worm Category:Microsoft Windows Category:Virus from 2000